import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;
import java.util.*;
import java.util.zip.*;

/**
 * 直接测试：ep解密后就是密钥
 * 
 * 新理解：
 * 1. ep[1:33]直接作为密钥
 * 2. 但data可能没有IV前置，IV可能在其他地方
 */
public class DirectEPKeyTest {
    
    private static final String EP_ENCRYPTED = 
        "qt0AJsNLEfayUx7S15jLfmQvMOpW6JJ+jCoxeXxn676R2OiN6xpLIQWSYe8ETFUF4+AaGrVY1wMCdyUPVaHM0J+8m+q/PUFgbiP3N8xSKQc4lIzzZuckbybYiFuLbEhcblmy162S5B70UJxzB6grhIVpsG/h0uw+JPaS2yTPpPVCiN/SImdOw2g12cun6niAwRZSQktZikzzbjwkRoiO8ehrwlAFJircnT1/1zba2oaGXLc/yU6cM2vWgJdyyoXJF4Mo/5XNBTDT+8yr1hPC5MKHWcTBB/isrRTD5CczInLgXHl48KKz18GkpPM7MML1GHb4pIjfTvu8hv/SLLW0sg==";
    
    private static final String PRIVATE_KEY_PEM = 
        "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCz8JyumzBRR1njdxPzCFpqWXrAUBiC4ycTbTDdWdpZkciwiXU5s/OxF5i7l+Hvwc9Ggjph/PKo7PpWhxZpzyEGpd6yVN9jAjJOt23o2TesgK8L/DAMhdJL8gNxKAQumbGF+ebMbcS8jWLxvDAqpmnEW8VdCLEjF6uqOPtcDmIkBF83W6oaeu32DzTr/NS16sUGQKxlflo9qPOl7VtcIsbR52klKK4uIyY23tWCouiyG84c/Uit+PleD5EYUGEu3p7IAAG5uJNzeUd0UjZDhy6x7ue+kGgcCmCNQ4zSS/bQHMknalwqJUvUSxtIf8dq+/D78m7d4Zt9n9ZD27t4Z2jHAgMBAAECggEAAr15RVdrpvE1NzeLADpyVghCzEbr+KJI6AzTn6tMneyQZ8/QDy7kWSAI3WJ0uFf1Nhepl/BoKZZiQYsRFk9nK1i/SWvtcu6HoZc9fzw/ksrq333ZpXcsOqfW0ZRQa/0/LNEfaKGLS2vDw/afrSaXmbvkB4SoXeZwYMk5Wq+FYxL/alrNpg/lzdvBlsCsTDA0G2RZrUVaO5yRTLRisBU+i8yORgnGkEwWvKpZYSFogCHSiYHiNXFy//C+sYWlK7DjmG8/+krKhqBRRfdeg7LFThHQpbEGTtueD57jw0PCo2yr6dqTvW9Qys+aWVNJk7RHNaI0yBFKWPadaHi3/olzkQKBgQDmz/FDpztS0fjKDIOjgDyE76Z6dRFenmKJM1eOFt+MniY6/vi4ylU51/Etm4k6dNJ1MVBoFfyT9X0U/4k7GNNUfIxMCJztUgY6EaCCt+09wk8pIvmOlRCmtxGwvmVC4nJVgUj3XJQ+wseblAkkW0+IuT3GKX0CdKFMU4q9aucLYwKBgQDHk3rQ8Ae4ci4oj+MehRI29SNpcXG6OHbrZ2EdsgqiFC1o/qv0269jtmCP7IqkGMdhTQrVetTHjZNZJH2bvUZ4o/0YT2+TTFPIkTb2/a0txUTBTKrbnAdXh/iPFZAGvBROEDN0MNKo/vGAfi0K836DeTyBIaYongm66Rn6pwnUTQKBgBveVaougfoxAhIbSrWuISCH8xjsE6nSA+G/Aj5Uwq8u1TzgVlWxkHLIgQVZt0sImfSufJ/kr7eJt42WgRJSoAmedC4mCBSbh8bxI+lEne+MC5TS9UDi/Ly0c/1cL8vQna93ScEcO4YMbJ97U1NBdyvx+eR4U/C89lDJ8YGHa9gzAoGAQ6sYsHFCXOKyDeTDoFyEUYgKqrzhT7/HaofR4Oy2OEBZKUl4anx2WnvC/+m3FG6mY7JoovuT29mABXCe+khR9aO8tBpy/WGa4t2B4nse1e8WIehp4i5kOuSKfZFVFUN+Kv3JRHMtakmO/v9JLHZlBhT8U9hh61GygOJ6gYdTiN0CgYAFz9iPy/xqLOUwiTNp3ImzhdZo9ol3Qlr9CfMWMFHqRA5AyYvly9ZzxTpUCpSA+qz6OXqAjJ0bhGQxW2KHpmcTyNGOPPca2vCaW8Mb1NTQueXpUBqX7alIkrRjUUyULteLb8FtyYl7mR3TVIu3FoO5anNwDZ+2y7R9WUEiOzY3NA==";
    
    private static final String DATA_ENCRYPTED = 
        "wHBy2LDIay6WCgEybO8bw/5OxmVd4N++OJpwr/Tgjw+TA8iZ4HAy4bN8UWtwmeGz+dqU/zX6myCireq+q465rqUqpXLhma2aEPqTaNvUTv/Y71kVpkMBkgrjMnVkIi/iBV5eKsrTPfLWO8bt0mSbLM8ghswC2m2YRInkqWXHrc8Nw0JsNjwCllOUdtwe3NuIx8oQuQ2fqj1G3g3xMp6B4sWBNAo+SjTNuKnS4chvbaD3RYnGvSLyNYu+sqbKeRNofCwVn0lVrjCAGtC9d5nqhFiGw0vWksPfmCRn7vRsl7LnqcXb+Fal/hhREBsaRJdMrst3vOEeQI6pt3RGKZ3VOsliNziKbLiNnXp2zY2fin32okAFwIOczPgeQA1yAM4FCnuT9FYAMn5ecAOY7WFhJPcOqVThy0giCJrBzpIzEHXTin+BWBO1PR8wMzBqpf6us9mhBZGzu40mzVN34xXK646aMr8f2DcD9yGO20v5icEz3OUcAeayMq+YKmBoypmvQUnaGa8pjr7RfvvajY+7pu6QHqRAQ3NLY1KjIoT3PKjabb7owQ1Txw5+Ajfjen7VEeF/Dq03nPMtNOpqD3tCdWDHWir+akJcEPtPzK4Bo2K3FrLBZt2igZD6/04jtwoAojHibKqUM1Rj5h2iijH65eAU1XKTpqDPNtcP5lwa1bFNV+GvuzHM+N4gcoxiELhQeG7xiUcsZrJvadkDO2z+If9vLkXTSdMKrqozUjLRapyXpULcVL8negHnj+2vKZVdoGiDhXlm23XDFjLY91ZqX2eGfGNmpJxftl83N6q4dyXpzD2gR/chHfm0CukVlL8P8aPAfEDcAsyQETc5oVLzetGVSkGBbQl+axZu8U2Ap9CXaTi1b2VcI3he19nvgG8XEFnwP6Tbicm5PDDsiRjo2MRqfuPLWkcSHTmBlS6w8yrzAvth9x/bBLg8XLs8M/B/dKSfOa9sbptfTMmEuuhWbnqCyqnFSUt8lsFlcUbJdK02TcMbd789pANnrKTTfFeOUehu5XReHng4DfV7f6boQmJPnZfwuR8qFwp7vwme235RTloktlkQu/2QFl2LmCv+/8Za43dEdFba9Ae6I1p+50zunyIjGTE6/9RT+g/zgagzgV/qDDSM5VF6E2Ic62W/KkpfSPMHAk5Jwg0LlsSMnFXYCynZoDZ5M8s62V15VaEII3s/6wPCu4lba/BxPanRtw60EVsvrJ7B0mnG+hcW8AGVeG1ZBIhgPH887/bY+05b0MnSkhjlrys8GKSaukVbtnrLJmjePt+LdLe6tH2NTwxjbHhJR028ZWaQKvdC5BD2hRflDMBPKL68D6YJ2bitqnKKdEqYHdCMXtOXh68XUqwfkoF3phQtYHyrqF4Wsgukf3/gAlt/yF0dXFTIUzoDTc34MEAaLFENVFDt4PUnYw2SRT8i/bhi3tcavu6Hnjs=";
    
    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
    
    public static void main(String[] args) {
        System.out.println("=".repeat(80));
        System.out.println("直接测试：ep解密数据作为密钥");
        System.out.println("=".repeat(80));
        
        try {
            // 1. RSA解密ep
            byte[] epBytes = Base64.getDecoder().decode(EP_ENCRYPTED);
            byte[] privateKeyBytes = Base64.getDecoder().decode(PRIVATE_KEY_PEM);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
            
            Cipher rsaCipher = Cipher.getInstance("RSA/ECB/NoPadding");
            rsaCipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] epDecrypted = rsaCipher.doFinal(epBytes);
            
            System.out.println("\n✅ ep解密成功");
            System.out.println("ep完整长度: " + epDecrypted.length + " 字节");
            System.out.println("ep完整内容: " + bytesToHex(epDecrypted));
            
            // 2. 提取可能的密钥
            byte[] epKey = Arrays.copyOfRange(epDecrypted, 1, 33);
            System.out.println("\nep[1:33]作为密钥:");
            System.out.println(bytesToHex(epKey));
            
            // 3. 尝试不同的IV来源
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            
            System.out.println("\n" + "-".repeat(80));
            System.out.println("测试1: 使用data前16字节作为IV（IV前置模式）");
            System.out.println("-".repeat(80));
            
            byte[] iv1 = Arrays.copyOf(dataBytes, 16);
            byte[] ciphertext1 = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            System.out.println("IV: " + bytesToHex(iv1));
            System.out.println("密文长度: " + ciphertext1.length);
            
            testDecryption(epKey, iv1, ciphertext1, "IV前置模式");
            
            System.out.println("\n" + "-".repeat(80));
            System.out.println("测试2: 使用全零IV");
            System.out.println("-".repeat(80));
            
            byte[] iv2 = new byte[16];
            testDecryption(epKey, iv2, dataBytes, "全零IV + 完整data");
            
            System.out.println("\n" + "-".repeat(80));
            System.out.println("测试3: 使用ep中的另一个16字节作为IV");
            System.out.println("-".repeat(80));
            
            // 尝试ep[33:49]作为IV
            byte[] iv3 = Arrays.copyOfRange(epDecrypted, 33, 49);
            System.out.println("IV from ep[33:49]: " + bytesToHex(iv3));
            testDecryption(epKey, iv3, ciphertext1, "ep[33:49]作为IV");
            
            // 尝试ep的最后16字节作为IV
            byte[] iv4 = Arrays.copyOfRange(epDecrypted, 240, 256);
            System.out.println("IV from ep[240:256]: " + bytesToHex(iv4));
            testDecryption(epKey, iv4, ciphertext1, "ep[240:256]作为IV");
            
            System.out.println("\n" + "=".repeat(80));
            System.out.println("结论");
            System.out.println("=".repeat(80));
            System.out.println("如果上述测试都失败，说明：");
            System.out.println("1. ep中的数据不是直接的AES密钥");
            System.out.println("2. 或者还需要其他信息来派生密钥");
            System.out.println("3. 建议使用Frida在运行时捕获密钥");
            
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    
    private static void testDecryption(byte[] key, byte[] iv, byte[] ciphertext, String description) {
        try {
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] decrypted = cipher.doFinal(ciphertext);
            
            System.out.println("  ✅ AES解密成功！");
            System.out.println("  解密后长度: " + decrypted.length + " 字节");
            System.out.println("  前32字节: " + bytesToHex(Arrays.copyOf(decrypted, Math.min(32, decrypted.length))));
            
            // 尝试解压
            try {
                Inflater inflater = new Inflater(true);
                inflater.setInput(decrypted);
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                byte[] buffer = new byte[1024];
                while (!inflater.finished()) {
                    int count = inflater.inflate(buffer);
                    baos.write(buffer, 0, count);
                }
                byte[] decompressed = baos.toByteArray();
                String result = new String(decompressed, StandardCharsets.UTF_8);
                
                if (result.length() > 10 && result.contains("{")) {
                    System.out.println("\n🎉🎉🎉 成功解密并解压！🎉🎉🎉");
                    System.out.println("=".repeat(80));
                    System.out.println("方法: " + description);
                    System.out.println("密钥: " + bytesToHex(key));
                    System.out.println("IV: " + bytesToHex(iv));
                    System.out.println("=".repeat(80));
                    System.out.println("\n解密内容:");
                    System.out.println(result);
                    System.out.println("\n=".repeat(80));
                    System.exit(0);
                } else {
                    System.out.println("  ❌ 解压后不是有效JSON");
                }
            } catch (Exception e) {
                System.out.println("  ❌ 解压失败: " + e.getMessage());
            }
        } catch (Exception e) {
            System.out.println("  ❌ AES解密失败: " + e.getMessage());
        }
    }
}



